dsreddy447 (Novice, Joined: 20 Aug 2015, Posts: 12)
Posted: Tue Sep 22, 2015 7:03 am    Post subject: issues on setting CHLAUTH
Below is the process which we performed. The thing is, we have applied a backstop rule here.
system.admin.channel.event is the queue where we can see the error if the connection is not established. This queue will show a queue depth if the connection has failed. If the connection succeeds, there are no issues.
Goal: we have 3 channels currently working fine in MQ v7.5. My question is that we need to enable CHLAUTH on this queue manager.
1. We need to run a backstop rule to disable all the channel connections.
2. Only the 3 channels whose names I mentioned below should work.
We have done the below procedure but we are not able to provide access to the below channels. Please let me know the solution for the below issue.
mqsicreatebroker APPTEST -q APPTEST -s active
DEFINE LISTENER(APPTEST.LISTENER) TRPTYPE (TCP) CONTROL (QMGR) PORT(1419) DESCR('MQ Listener object') REPLACE
START LISTENER(APPTEST.LISTENER)
ALTER QMGR CHLAUTH(ENABLED)
DEFINE CHANNEL (APPWATCH) CHLTYPE (SVRCONN) TRPTYPE (TCP) DESCR ('SVRCONN channel for APPWATCH access') MCAUSER ('') REPLACE
DEFINE CHANNEL (CLIENT.T.IBMUSER) CHLTYPE (SVRCONN) TRPTYPE (TCP) DESCR ('SVRCONN channel for CLIENT access') MCAUSER ('ibmusr') REPLACE
DEFINE CHANNEL (CLIENT.T.IBMADMIN) CHLTYPE (SVRCONN) TRPTYPE (TCP) DESCR ('SVRCONN channel for ADMIN Team use') MCAUSER (' ') REPLACE
dis chlauth(*)
1 : dis chlauth(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
SET CHLAUTH(*) +
TYPE(BLOCKUSER) +
DESCR ('') +
USERLIST(*MQADMIN) +
ACTION(REMOVE);
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule') WARN(YES) ACTION(REPLACE)
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Tue Sep 22, 2015 7:41 am    Post subject: Re: issues on setting CHLAUTH
dsreddy447 wrote:
    2. Only the 3 channels whose names I mentioned below should work.

I don't see where you're setting up the channel authority rules to allow those channels to work. I see the backstop to prevent any channel working that's not specifically authorized, but not the specific authorizations. Please post these additional commands.
_________________
Honesty is the best policy.
Insanity is the best defence.
dsreddy447 (Novice, Joined: 20 Aug 2015, Posts: 12)
Posted: Tue Sep 22, 2015 7:55 am
Please help us here.
We are not sure of the authority commands to enable only these channels.
We are stuck here.
exerk (Jedi Council, Joined: 02 Nov 2006, Posts: 6339)
Posted: Tue Sep 22, 2015 8:07 am
dsreddy447 wrote:
    Please help us here.
    We are not sure of the authority commands to enable only these channels.
    We are stuck here.

Have a look HERE, as well as at the other related posts by Morag...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
dsreddy447 (Novice, Joined: 20 Aug 2015, Posts: 12)
Posted: Tue Sep 22, 2015 8:29 am
We have gone through this link already, but we don't want a specific IP address or specific user restriction. If any channel other than these is used, then that should be restricted, and the given 3 channels should be accessible.
Please let us know what commands we need to add to or remove from the above procedure.
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Tue Sep 22, 2015 8:33 am
You need to set specific rules for those channels.
They need to be configured to provide access from the users or locations that you want.
You also need to set specific rules, if those users are "mqm" (or ""), to allow *MQADMIN to connect.
_________________
chmod -R ugo-wx /
dsreddy447 (Novice, Joined: 20 Aug 2015, Posts: 12)
Posted: Tue Sep 22, 2015 8:41 am
Sorry to ask, but it's a little urgent.
Please tell me what specific rules need to be set up.
Please share the commands, as we are not able to work out the exact commands.
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Tue Sep 22, 2015 8:45 am
Your urgency is not really an issue for me.
You need to issue CHLAUTH commands that refer to your specific channels and that allow them to be accessed.
And CHLAUTH rules that refer to your channels and do not prevent *MQADMIN from connecting.
_________________
chmod -R ugo-wx /
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Tue Sep 22, 2015 9:09 am
dsreddy447 wrote:
    We have gone through this link already, but we don't want a specific IP address or specific user restriction. If any channel other than these is used, then that should be restricted, and the given 3 channels should be accessible.

So if you only want these 3 channels used, and don't care who's using them or from where, why not simply delete the backstop rule and all other channel definitions apart from those 3?
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Tue Sep 22, 2015 9:11 am
Vitor wrote:
    dsreddy447 wrote:
        We have gone through this link already, but we don't want a specific IP address or specific user restriction. If any channel other than these is used, then that should be restricted, and the given 3 channels should be accessible.

    So if you only want these 3 channels used, and don't care who's using them or from where, why not simply delete the backstop rule and all other channel definitions apart from those 3?

He/She would still have to create rules that did not prevent these channels from being used, i.e. that allowed *MQADMIN to be used on non-system channels.
_________________
chmod -R ugo-wx /
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Tue Sep 22, 2015 7:02 pm
It is not a good thing to remove the admin backstop rule like you did:
Code:
    SET CHLAUTH(*) +
    TYPE(BLOCKUSER) +
    DESCR ('') +
    USERLIST(*MQADMIN) +
    ACTION(REMOVE);

What you should do instead is create a BLOCKUSER type rule that is more specific (i.e. channel name instead of * in the CHLAUTH field) and denies an id that nobody would use. That channel is then enabled for "privileged" access.
Have fun
_________________
MQ & Broker admin
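The following MQSC script is an added example, not commands posted in this thread, pulling together the rules the replies above ask for: the backstop from the first post, the restored *MQADMIN block, a channel-specific allow rule for each of the three SVRCONN channels named in the first post, and fjb_saper's dummy-user override. It assumes that only CLIENT.T.IBMADMIN needs privileged access, that 'dummyuser' is a placeholder ID no real client asserts, and that 192.0.2.10, 'appuser' and SYSTEM.DEF.SVRCONN are constructed test values for the RUNCHECK queries.

```mqsc
* Added example (not the thread's own commands): allow-list for the three
* SVRCONN channels named in the first post. Assumptions: only CLIENT.T.IBMADMIN
* needs privileged (*MQADMIN) access; 'dummyuser' is a placeholder ID that no
* real client asserts; 192.0.2.10 and 'appuser' are constructed test values.

* 1. Enforce CHLAUTH and deny everything by default. WARN(NO) matters: with
*    WARN(YES), as in the first post, the backstop only raises a channel event
*    on SYSTEM.ADMIN.CHANNEL.EVENT and still lets the connection through.
ALTER QMGR CHLAUTH(ENABLED)
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop rule') WARN(NO) ACTION(REPLACE)

* 2. Restore the default rule the first post removed, so privileged IDs stay
*    blocked on every channel that does not explicitly override it.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('Default rule to disallow privileged users') ACTION(REPLACE)

* 3. One ADDRESSMAP per permitted channel. A rule on an explicit channel name
*    is more specific than '*', so it wins over the backstop. USERSRC(CHANNEL)
*    keeps the MCAUSER set on the channel definition (ibmusr on CLIENT.T.IBMUSER).
SET CHLAUTH('APPWATCH') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    DESCR('Allow APPWATCH from any address') ACTION(REPLACE)
SET CHLAUTH('CLIENT.T.IBMUSER') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    DESCR('Allow CLIENT.T.IBMUSER from any address') ACTION(REPLACE)
SET CHLAUTH('CLIENT.T.IBMADMIN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    DESCR('Allow CLIENT.T.IBMADMIN from any address') ACTION(REPLACE)

* 4. fjb_saper's technique: only the most specific BLOCKUSER rule applies, so a
*    channel-specific rule that blocks a dummy ID replaces the *MQADMIN block
*    on that channel alone. Apply it only to the admin channel: APPWATCH has a
*    blank MCAUSER and would otherwise adopt a client-asserted 'mqm'.
SET CHLAUTH('CLIENT.T.IBMADMIN') TYPE(BLOCKUSER) USERLIST('dummyuser') +
    DESCR('Override *MQADMIN block on the admin channel only') ACTION(REPLACE)

* 5. Check the result without a client: RUNCHECK reports which rule a given
*    address and asserted user would hit on a named channel.
DISPLAY CHLAUTH('CLIENT.T.IBMADMIN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('mqm')
DISPLAY CHLAUTH('APPWATCH') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('appuser')
DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('appuser')
```

Feed the script to runmqsc for the queue manager; the last three DISPLAY commands should show the channel-specific ADDRESSMAP for the two allowed channels and the SYSTEM.* NOACCESS rule for SYSTEM.DEF.SVRCONN.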